Computing systems such as desktop computers, laptop computers, tablets, netbooks, and servers are now commonly used by various people and organizations. As the prevalence of computing systems grows, authentication of users and system security on the computing systems continue to be important concerns. Many computing systems use a user password to allow a user access to the computing system (e.g., to log into the computing system).
If a non-authorized person obtains a user's password, then the non-authorized person may be able to obtain the privileges and the level of access the user had to the computing system. After gaining the privileges/access of the user, a non-authorized person may attempt to change the settings on the computing system, access network resources, and/or attempt to access sensitive data (e.g., the user's files on a local hard drive) on the computing system. For example, the non-authorized person may change network settings on the computing system to redirect network traffic to a different server. In another example, the non-authorized person may attempt to install malicious programs such as spyware, malware, viruses, trojans, keyloggers, and/or worms on the user's computing system. In a further example, the non-authorized person may be able to connect to network resources after gaining the privileges/access of the user. The non-authorized person might gain access to network resources such as shared files, documents, emails, network drives, websites, and/or network services by impersonating the user (e.g., by using the user's username and/or password).
In order to enhance the security of computing systems, some computing systems use multi-factor authentication. Multi-factor authentication may use three authentication factors: 1) something the user knows (e.g., the user's password); 2) something the user has (e.g., a security token or smart card); and 3) something the user is (e.g., a biometric factor such as a fingerprint, retinal scan, etc.). One common form of multi-factor authentication is two-factor authentication, in which the first factor is the user password and the second factor is a one-time password (OTP) generated by an OTP generator in the user's possession.
To provide short-lived certificates to a computing device for logon with a high level of security, the user is required to authenticate to an authentication server by OTP. When the OTP entered by the user into the computing system is verified by the authentication server, the authentication server enrolls the user for a short-lived certificate from a certification authority.
After the certificate is returned to the user, it is saved in the personal certificate store on the user's computer and interacts with the logon components as if it were a smart card logon to the computer.
Two problems with this solution are that subsequent usages of the issued certificate cannot be restricted and that the user has to be online for it to work, which forbids logon to the local machine when no network is available (e.g., in a plane).
Therefore, if the computing system is unable to communicate with the authentication server, the computing system is unable to have the OTP verified, and the user may be denied access to the computing device because the short-lived certificate cannot be generated.
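The following is an added example, not part of the original text, that models the flow just described: the user's generator computes an OTP, the authentication server verifies it and enrolls a short-lived credential, and the logon side checks that credential's validity window. The `AuthServer` class, its `reachable` flag, the seed and CA key values, and the eight-hour lifetime are all assumptions; the credential is a JSON body authenticated with an HMAC under the CA key, a stand-in for the X.509 certificate a real certification authority would sign, so the example runs without a network. The OTP itself follows RFC 4226 HOTP and RFC 6238 TOTP.

```python
import hashlib
import hmac
import json
import struct

STEP_SECONDS = 30          # TOTP time step (RFC 6238 default)
DRIFT_STEPS = 1            # accept one step either side of "now" for clock drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the user's generator shows)."""
    return hotp(secret, now // STEP_SECONDS)


class AuthServer:
    """Hypothetical authentication server: verifies the OTP, then enrolls a short-lived credential.

    The credential is a JSON body tagged with an HMAC under the CA key (assumption: a stand-in for
    the certificate a real certification authority would sign).
    """

    def __init__(self, ca_key: bytes, seeds: dict, lifetime_seconds: int = 8 * 3600):
        self.ca_key = ca_key
        self.seeds = seeds                 # user -> OTP seed shared with that user's generator
        self.lifetime = lifetime_seconds   # assumed short lifetime of the issued credential
        self.last_counter = {}             # user -> highest counter already accepted (replay guard)
        self.reachable = True              # set to False to simulate the offline case

    def enroll(self, user: str, otp: str, now: int) -> dict:
        if not self.reachable:
            raise ConnectionError("authentication server unreachable")
        seed = self.seeds[user]
        counter = now // STEP_SECONDS
        matched = None
        for c in range(counter - DRIFT_STEPS, counter + DRIFT_STEPS + 1):
            if hmac.compare_digest(hotp(seed, c), otp):   # constant-time comparison
                matched = c
        if matched is None:
            raise PermissionError("OTP rejected")
        if matched <= self.last_counter.get(user, -1):
            raise PermissionError("OTP already used")     # a captured OTP cannot be replayed
        self.last_counter[user] = matched
        body = {"subject": user, "not_before": now, "not_after": now + self.lifetime}
        return {"body": body, "sig": self._sign(body)}

    def _sign(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.ca_key, canonical, hashlib.sha256).hexdigest()


def credential_valid(ca_key: bytes, cred: dict, now: int) -> bool:
    """Logon-side check: the credential must be genuine and inside its validity window."""
    canonical = json.dumps(cred["body"], sort_keys=True).encode()
    expected = hmac.new(ca_key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return False
    return cred["body"]["not_before"] <= now <= cred["body"]["not_after"]


def demo() -> dict:
    """Walks the online enrollment, expiry, replay and offline cases with constructed values."""
    seed = b"12345678901234567890"                 # constructed seed (the RFC 4226 test-vector secret)
    server = AuthServer(ca_key=b"constructed-ca-key", seeds={"alice": seed})
    t0 = 1_700_000_000                             # constructed "current" Unix time
    code = totp(seed, t0)                          # what alice's generator displays
    cred = server.enroll("alice", code, t0)        # online: OTP accepted, credential issued
    results = {
        "valid_now": credential_valid(server.ca_key, cred, t0 + 60),
        "valid_after_expiry": credential_valid(server.ca_key, cred, t0 + server.lifetime + 1),
    }
    try:
        server.enroll("alice", code, t0 + 5)       # the same OTP presented a second time
        results["replay_accepted"] = True
    except PermissionError:
        results["replay_accepted"] = False
    server.reachable = False                       # the plane scenario: no path to the server
    later = t0 + 9 * 3600
    try:
        server.enroll("alice", totp(seed, later), later)
        results["offline_enroll"] = True
    except ConnectionError:
        results["offline_enroll"] = False          # no server, no new credential, no logon
    return results


if __name__ == "__main__":
    print(demo())
```

The `demo` function shows the two properties the text turns on: the issued credential is only usable inside its validity window, and once the expired credential needs renewing, an unreachable authentication server blocks enrollment entirely. The replay guard (`last_counter`) is the check a practitioner would add on the server even though the text does not mention it, since an OTP that was accepted once must not be accepted again within the drift window.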
Another traditional approach is to store the RSA key on a server and provide remote usage of the key after proper authentication (possibly by OTP) of the user. In this scenario, any offline usage of the RSA key is impossible, as the key remains on the server at all times.
There is a need to authenticate the user by an OTP system and to provide the RSA key to the user even if the computing device is unable to communicate with the authentication server.